
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.5.2 release notes &#8212; Django 1.11.22.dev20190603194737 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.5.1 release notes" href="1.5.1.html" />
    <link rel="prev" title="Django 1.5.3 release notes" href="1.5.3.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.11.22.dev20190603194737 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.5.3.html" title="Django 1.5.3 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.5.1.html" title="Django 1.5.1 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.5.2">
            
  <div class="section" id="s-django-1-5-2-release-notes">
<span id="django-1-5-2-release-notes"></span><h1>Django 1.5.2 release notes<a class="headerlink" href="#django-1-5-2-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>August 13, 2013</em></p>
<p>This is Django 1.5.2, a bugfix and security release for Django 1.5.</p>
<div class="section" id="s-mitigated-possible-xss-attack-via-user-supplied-redirect-urls">
<span id="mitigated-possible-xss-attack-via-user-supplied-redirect-urls"></span><h2>Mitigated possible XSS attack via user-supplied redirect URLs<a class="headerlink" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls" title="Permalink to this headline">¶</a></h2>
<p>Django relies on user input in some cases (e.g.
<a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.views.login" title="django.contrib.auth.views.login"><code class="xref py py-func docutils literal notranslate"><span class="pre">django.contrib.auth.views.login()</span></code></a>, <code class="docutils literal notranslate"><span class="pre">django.contrib.comments</span></code>, and
<a class="reference internal" href="../topics/i18n/index.html"><span class="doc">i18n</span></a>) to redirect the user to an “on success” URL.
The security checks for these redirects (namely
<code class="docutils literal notranslate"><span class="pre">django.utils.http.is_safe_url()</span></code>) didn’t check if the scheme is <code class="docutils literal notranslate"><span class="pre">http(s)</span></code>
and as such allowed <code class="docutils literal notranslate"><span class="pre">javascript:...</span></code> URLs to be entered. If a developer
relied on <code class="docutils literal notranslate"><span class="pre">is_safe_url()</span></code> to provide safe redirect targets and put such a
URL into a link, they could suffer from a XSS attack. This bug doesn’t affect
Django currently, since we only put this URL into the <code class="docutils literal notranslate"><span class="pre">Location</span></code> response
header and browsers seem to ignore JavaScript there.</p>
</div>
<div class="section" id="s-xss-vulnerability-in-django-contrib-admin">
<span id="xss-vulnerability-in-django-contrib-admin"></span><h2>XSS vulnerability in <a class="reference internal" href="../ref/contrib/admin/index.html#module-django.contrib.admin" title="django.contrib.admin: Django's admin site."><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.contrib.admin</span></code></a><a class="headerlink" href="#xss-vulnerability-in-django-contrib-admin" title="Permalink to this headline">¶</a></h2>
<p>If a <a class="reference internal" href="../ref/models/fields.html#django.db.models.URLField" title="django.db.models.URLField"><code class="xref py py-class docutils literal notranslate"><span class="pre">URLField</span></code></a> is used in Django 1.5, it displays the
current value of the field and a link to the target on the admin change page.
The display routine of this widget was flawed and allowed for XSS.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Fixed a crash with <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.prefetch_related" title="django.db.models.query.QuerySet.prefetch_related"><code class="xref py py-meth docutils literal notranslate"><span class="pre">prefetch_related()</span></code></a>
(#19607) as well as some <code class="docutils literal notranslate"><span class="pre">pickle</span></code> regressions with <code class="docutils literal notranslate"><span class="pre">prefetch_related</span></code>
(#20157 and #20257).</li>
<li>Fixed a regression in <a class="reference internal" href="../ref/contrib/gis/index.html#module-django.contrib.gis" title="django.contrib.gis: Geographic Information System (GIS) extensions for Django"><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.contrib.gis</span></code></a> in the Google Map output on
Python 3 (#20773).</li>
<li>Made <code class="docutils literal notranslate"><span class="pre">DjangoTestSuiteRunner.setup_databases</span></code> properly handle aliases for
the default database (#19940) and prevented <code class="docutils literal notranslate"><span class="pre">teardown_databases</span></code> from
attempting to tear down aliases (#20681).</li>
<li>Fixed the <code class="docutils literal notranslate"><span class="pre">django.core.cache.backends.memcached.MemcachedCache</span></code> backend’s
<code class="docutils literal notranslate"><span class="pre">get_many()</span></code> method on Python 3 (#20722).</li>
<li>Fixed <a class="reference internal" href="../ref/contrib/humanize.html#module-django.contrib.humanize" title="django.contrib.humanize: A set of Django template filters useful for adding a &quot;human touch&quot; to data."><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.contrib.humanize</span></code></a> translation syntax errors. Affected
languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).</li>
<li>Added support for wheel packages (#19252).</li>
<li>The CSRF token now rotates when a user logs in.</li>
<li>Some Python 3 compatibility fixes including #20212 and #20025.</li>
<li>Fixed some rare cases where <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.get" title="django.db.models.query.QuerySet.get"><code class="xref py py-meth docutils literal notranslate"><span class="pre">get()</span></code></a>
exceptions recursed infinitely (#20278).</li>
<li><a class="reference internal" href="../ref/django-admin.html#django-admin-makemessages"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">makemessages</span></code></a> no longer crashes with <code class="docutils literal notranslate"><span class="pre">UnicodeDecodeError</span></code>
(#20354).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">geojson</span></code> detection with SpatiaLite.</li>
<li><a class="reference internal" href="../topics/testing/tools.html#django.test.SimpleTestCase.assertContains" title="django.test.SimpleTestCase.assertContains"><code class="xref py py-meth docutils literal notranslate"><span class="pre">assertContains()</span></code></a> once again works with
binary content (#20237).</li>
<li>Fixed <a class="reference internal" href="../ref/models/fields.html#django.db.models.ManyToManyField" title="django.db.models.ManyToManyField"><code class="xref py py-class docutils literal notranslate"><span class="pre">ManyToManyField</span></code></a> if it has a unicode <code class="docutils literal notranslate"><span class="pre">name</span></code>
parameter (#20207).</li>
<li>Ensured that the WSGI request’s path is correctly based on the
<code class="docutils literal notranslate"><span class="pre">SCRIPT_NAME</span></code> environment variable or the <a class="reference internal" href="../ref/settings.html#std:setting-FORCE_SCRIPT_NAME"><code class="xref std std-setting docutils literal notranslate"><span class="pre">FORCE_SCRIPT_NAME</span></code></a>
setting, regardless of whether or not either has a trailing slash (#20169).</li>
<li>Fixed an obscure bug with the <a class="reference internal" href="../topics/testing/tools.html#django.test.override_settings" title="django.test.override_settings"><code class="xref py py-func docutils literal notranslate"><span class="pre">override_settings()</span></code></a>
decorator. If you hit an <code class="docutils literal notranslate"><span class="pre">AttributeError:</span> <span class="pre">'Settings'</span> <span class="pre">object</span> <span class="pre">has</span> <span class="pre">no</span> <span class="pre">attribute</span>
<span class="pre">'_original_allowed_hosts'</span></code> exception, it’s probably fixed (#20636).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.5.2 release notes</a><ul>
<li><a class="reference internal" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls">Mitigated possible XSS attack via user-supplied redirect URLs</a></li>
<li><a class="reference internal" href="#xss-vulnerability-in-django-contrib-admin">XSS vulnerability in <code class="docutils literal notranslate"><span class="pre">django.contrib.admin</span></code></a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="1.5.3.html"
                        title="previous chapter">Django 1.5.3 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="1.5.1.html"
                        title="next chapter">Django 1.5.1 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.5.2.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Jun 03, 2019</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.5.3.html" title="Django 1.5.3 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.5.1.html" title="Django 1.5.1 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>